Netskope Logs (Beta) | Panther Docs

Knowledge Base Community Release Notes Request Demo

Last updated 1 year ago

Was this helpful?

#1924: [don't merge until ~Oct] Notion Logs (Beta)

Change request updated 1 year ago

Overview

Netskope log ingestion is in open beta starting with Panther version 1.72, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther has the ability to fetch Netskope logs by querying the .

How to onboard Netskope logs to Panther

You'll start creating the Netskope source in Panther, generate an API token in Netskope, then return to Panther to finish log source creation.

Step 1: Start creating a Netskope source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Netskope,” then click its tile.
In the slide-out panel, click Start Setup.
Enter a descriptive Name for the source, e.g., "My Netskope logs."
Click Setup.

Step 2: Create API credentials in Netskope

In a separate web browser tab, open the .
In the left-side navigation bar, click Settings.
In the left-side navigation bar of the Settings page, click Tools > REST API v2.
Click New Token.
In the popup modal, configure the following fields:
- Token Name: Enter a descriptive name.
- Expire In: Set an appropriate expiration period.
- Scope: Click Add Endpoint and select the /api/v2/events/data/audit scope.
Click Save.
In the confirmation modal, click Copy Token and store the value in a secure location, as you will need it in the next step.

Step 3: Finish creating the Netskope source in Panther

In the Netskope Domain field, enter the domain name of your Netskope tenant (e.g., corp.goskope.com).
Click Setup. You will be directed to a success screen:
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Panther supports Netskope.Audit logs.

Netskope.Audit

schema: Netskope.Audit
description: Audit logs from the Netskope Audit API
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
    - name: timestamp
      required: true
      description: The timestamp of the audit log.
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: type
      required: true
      description: The type of the audit log.
      type: string
    - name: user
      required: true
      description: The user associated with the audit log.
      type: string
      indicators:
        - email
        - username
    - name: is_netskope_personnel
      description: Indicates whether the user is Netskope personnel.
      type: boolean
    - name: severity_level
      description: The severity level of the audit log.
      type: int
    - name: audit_log_event
      required: true
      description: The event description of the audit log.
      type: string
    - name: supporting_data
      required: true
      description: Supporting data associated with the audit log.
      type: json
    - name: organization_unit
      description: The organization unit associated with the audit log.
      type: string
    - name: ur_normalized
      description: The normalized user identifier.
      type: string
    - name: count
      description: The count of the audit log.
      type: int
    - name: _insertion_epoch_timestamp
      required: true
      description: The timestamp of the log insertion.
      type: int
    - name: _id
      required: true
      description: The ID of the audit log.
      type: string

Last updated 1 year ago

Was this helpful?

Overview

Netskope log ingestion is in open beta starting with Panther version 1.72, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

Panther has the ability to fetch Netskope logs by querying the .

How to onboard Netskope logs to Panther

You'll start creating the Netskope source in Panther, generate an API token in Netskope, then return to Panther to finish log source creation.

Step 1: Start creating a Netskope source in Panther

In the left-side navigation bar of your Panther Console, click Configure > Log Sources.
Click Create New.
Search for “Netskope,” then click its tile.
In the slide-out panel, click Start Setup.
Enter a descriptive Name for the source, e.g., "My Netskope logs."
Click Setup.

Step 2: Create API credentials in Netskope

In a separate web browser tab, open the .
In the left-side navigation bar, click Settings.
In the left-side navigation bar of the Settings page, click Tools > REST API v2.
Click New Token.
In the popup modal, configure the following fields:
- Token Name: Enter a descriptive name.
- Expire In: Set an appropriate expiration period.
- Scope: Click Add Endpoint and select the /api/v2/events/data/audit scope.
Click Save.
In the confirmation modal, click Copy Token and store the value in a secure location, as you will need it in the next step.

Step 3: Finish creating the Netskope source in Panther

Navigate back to the Panther Console, to the Set Credentials page where you left off after completing .
In the Netskope Domain field, enter the domain name of your Netskope tenant (e.g., corp.goskope.com).
In the API Key field, paste the API token value you copied from the Netskope Admin console in .
Click Setup. You will be directed to a success screen:
- You can optionally enable one or more .
- The Trigger an alert when no events are processed setting defaults to YES. We recommend leaving this enabled, as you will be alerted if data stops flowing from the log source after a certain period of time. The timeframe is configurable, with a default of 24 hours.

Supported log types

Panther supports Netskope.Audit logs.

Netskope.Audit

Netskope.Audit logs represent activity within a Netskope instance. For more information, see .

schema: Netskope.Audit
description: Audit logs from the Netskope Audit API
referenceURL: https://docs.netskope.com/en/rest-api-v2-overview-312207.html
fields:
    - name: timestamp
      required: true
      description: The timestamp of the audit log.
      type: timestamp
      timeFormats:
        - unix
      isEventTime: true
    - name: type
      required: true
      description: The type of the audit log.
      type: string
    - name: user
      required: true
      description: The user associated with the audit log.
      type: string
      indicators:
        - email
        - username
    - name: is_netskope_personnel
      description: Indicates whether the user is Netskope personnel.
      type: boolean
    - name: severity_level
      description: The severity level of the audit log.
      type: int
    - name: audit_log_event
      required: true
      description: The event description of the audit log.
      type: string
    - name: supporting_data
      required: true
      description: Supporting data associated with the audit log.
      type: json
    - name: organization_unit
      description: The organization unit associated with the audit log.
      type: string
    - name: ur_normalized
      description: The normalized user identifier.
      type: string
    - name: count
      description: The count of the audit log.
      type: int
    - name: _insertion_epoch_timestamp
      required: true
      description: The timestamp of the log insertion.
      type: int
    - name: _id
      required: true
      description: The ID of the audit log.
      type: string